git.proxmox.com Git - ceph.git/blob - ceph/src/mds/MDSAuthCaps.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2014 Red Hat
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
16 #ifndef MDS_AUTH_CAPS_H
17 #define MDS_AUTH_CAPS_H
21 #include <boost/utility/string_view.hpp>
24 #include "include/types.h"
25 #include "common/debug.h"
27 // unix-style capabilities
// Permission flags of this capability spec. The no-argument constructor
// clears all three; the four-argument constructor copies them from r, w, a.
// NOTE(review): `any` presumably marks an unrestricted capability, tested by
// allow_all() -- confirm against the method bodies.
bool read, write, any;
43 // True if the capability permits setting vxattrs (layout, quota, etc)
// Default construction: every permission flag, set_vxattr included, starts
// out cleared.
MDSCapSpec()
  : read(false),
    write(false),
    any(false),
    set_vxattr(false)
{}
// Builds a spec from explicit flag values.
//   r   -> read
//   w   -> write
//   a   -> any
//   lop -> set_vxattr
// All four parameters are plain bools, so the argument order at the call
// site is the only thing that ties a value to its flag.
MDSCapSpec(bool r, bool w, bool a, bool lop)
  : read(r),
    write(w),
    any(a),
    set_vxattr(lop)
{}
50 bool allow_all() const {
54 bool allows(bool r
, bool w
) const {
64 bool allows_set_vxattr() const {
69 // conditions before we are allowed to do it
// Sentinel stored in `uid` meaning "do not restrict by UID".
// NOTE(review): `uid` is declared int64_t rather than uid_t, presumably so
// that -1 cannot collide with a real uid value -- confirm uid_t's width on
// the supported platforms.
static const int64_t MDS_AUTH_UID_ANY = -1;

int64_t uid;              // Require UID to be equal to this, if != MDS_AUTH_UID_ANY
std::vector<gid_t> gids;  // Use these GIDs
// Require path to be child of this (may be "" or "/" for any).
// NOTE(review): is_match_all() compares against "" only, so a "/" value has
// to be rewritten to "" before that check -- presumably by normalize_path();
// confirm that every path-taking constructor calls it.
std::string path;
// Default match: no UID restriction; `gids` and `path` are left
// default-constructed (empty).
MDSCapMatch()
  : uid(MDS_AUTH_UID_ANY)
{}
// Match on caller identity only; `path` is left empty.
//   uid_  -> uid  (pass MDS_AUTH_UID_ANY for no UID restriction)
//   gids_ -> gids (copied; the argument is taken by non-const reference but
//                  is only read here)
MDSCapMatch(int64_t uid_, std::vector<gid_t>& gids_)
  : uid(uid_),
    gids(gids_)
{}
79 explicit MDSCapMatch(std::string path_
)
80 : uid(MDS_AUTH_UID_ANY
), path(path_
) {
83 MDSCapMatch(std::string path_
, int64_t uid_
, std::vector
<gid_t
>& gids_
)
84 : uid(uid_
), gids(gids_
), path(path_
) {
// Defined out of line.
// NOTE(review): presumably rewrites `path` into the canonical form that the
// match functions compare against -- confirm in the implementation file.
void normalize_path();
// True when this match restricts neither the UID nor the path.
// `gids` is not consulted.
bool is_match_all() const
{
  const bool any_uid = (uid == MDS_AUTH_UID_ANY);
  const bool any_path = (path == "");
  return any_uid && any_path;
}
95 // check whether this grant matches against a given file and caller uid:gid
96 bool match(boost::string_view target_path
,
99 const vector
<uint64_t> *caller_gid_list
) const;
/**
 * Check whether this path *might* be accessible (actual permission
 * depends on the stronger check in match()).
 *
 * A true result is therefore only a pre-filter and not an authorization
 * decision on its own.
 *
 * @param target_path filesystem path without leading '/'
 */
bool match_path(boost::string_view target_path) const;
// Pairs a capability spec with the match conditions it is bound to:
// spec_ initializes the `spec` member and match_ the `match` member.
MDSCapGrant(const MDSCapSpec &spec_, const MDSCapMatch &match_)
  : spec(spec_),
    match(match_)
{}
// The grants making up this capability set; the vector-taking constructor
// copies its argument into this member.
std::vector<MDSCapGrant> grants;
125 explicit MDSAuthCaps(CephContext
*cct_
=NULL
)
// this ctor is used by spirit/phoenix; doesn't need cct.
// It copies grants_ into `grants` and leaves `cct` null.
// NOTE(review): objects built this way carry a null cct, so any member that
// uses cct has to tolerate NULL -- confirm in the implementation file.
explicit MDSAuthCaps(const std::vector<MDSCapGrant> &grants_)
  : cct(NULL),
    grants(grants_)
{ }
// Defined out of line.
// NOTE(review): presumably resets this object to an unrestricted capability
// set -- confirm in the implementation file.
void set_allow_all();

// Parses the capability string `str`; `err` is an optional stream pointer.
// NOTE(review): presumably returns true on success and writes a diagnostic to
// *err on failure. What `grants` holds after a failed parse is not visible
// from this header, so callers should not base authorization decisions on
// the object unless parse() reported success -- confirm.
bool parse(CephContext *cct, boost::string_view str, std::ostream *err);

// Whole-set counterpart of MDSCapSpec::allow_all(); defined out of line.
bool allow_all() const;

// Authorization check for one operation, defined out of line.
//   inode_path, inode_uid, inode_gid, inode_mode  describe the target inode
//   uid, gid, caller_gid_list                     describe the caller
//   mask                                          requested access bits
//   new_uid, new_gid                              NOTE(review): presumably the
//       ownership requested by a chown-style operation -- confirm
// caller_gid_list is passed by pointer and carries uint64_t values, whereas
// MDSCapMatch::gids stores gid_t; `vector` is written unqualified here, so
// this declaration relies on a using-declaration from an included header.
bool is_capable(boost::string_view inode_path,
		uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
		uid_t uid, gid_t gid, const vector<uint64_t> *caller_gid_list,
		unsigned mask, uid_t new_uid, gid_t new_gid) const;

// Path-only check, defined out of line.
// NOTE(review): presumably the pre-filter built on MDSCapMatch::match_path()
// and therefore weaker than is_capable() -- confirm.
bool path_capable(boost::string_view inode_path) const;

// Grants the stream-output overload access to the non-public members.
friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
// Stream-output overloads for the capability types; all four are defined
// out of line.
std::ostream &operator<<(std::ostream &out, const MDSCapMatch &match);
std::ostream &operator<<(std::ostream &out, const MDSCapSpec &spec);
std::ostream &operator<<(std::ostream &out, const MDSCapGrant &grant);
std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
151 #endif // MDS_AUTH_CAPS_H